rodauth 2.5.0 → 2.10.0

data/doc/release_notes/2.7.0.txt

@@ -0,0 +1,33 @@
+= New Features
+
+* An auto_remove_recovery_codes? configuration method has been added
+  to the recovery_codes feature.  This will automatically remove
+  recovery codes when the last multifactor authentication type other
+  than the recovery codes has been removed.
+
+* The jwt_access_expired_status and expired_jwt_access_token_message
+  configuration methods have been added to the jwt_refresh feature,
+  for supporting custom statuses and messages for expired tokens.
+
+= Other Improvements
+
+* Rodauth will no longer attempt to require a feature that has
+  already been required.  Related to this is you can now use a
+  a custom Rodauth feature without a rodauth/features/*.rb file
+  in the Ruby library path, as long as you load the feature
+  manually.
+
+* Rodauth now avoids method redefinition warnings in verbose
+  warning mode.  As Ruby 3 is dropping uninitialized instance
+  variable warnings, Rodauth will be verbose warning free in
+  Ruby 3.
+
+= Backwards Compatibility
+
+* The default remember cookie path is now set to '/'. This fixes
+  usage in the case where rodauth is loaded under a subpath of the
+  application (which is not the default behavior).  Unfortunately,
+  this change can negatively affect cases where multiple rodauth
+  configurations are used in separate paths on the same domain.
+  In these cases, you should now use remember_cookie_options and
+  include a :path option.

data/doc/release_notes/2.8.0.txt

@@ -0,0 +1,20 @@
+= Improvements
+
+* HttpOnly is now set by default on the remember cookie, so it is no
+  longer accessible from Javascript.  This is a more secure approach
+  that makes applications using Rodauth's remember feature less
+  vulnerable in case they are subject to a separate XSS attack.
+
+* When using the jwt feature, rodauth.clear_session now clears the
+  JWT session even when the Roda sessions plugin was in use.  In most
+  cases, the jwt feature is not used with the Roda sessions plugin,
+  but in cases where the same application serves as both an JSON API
+  and as a HTML site, it is possible the two may be used together.
+
+= Backwards Compatibility
+
+* As the default remember cookie :httponly setting is now set to true,
+  applications using Rodauth that expected to be able to access the
+  remember cookie from Javascript will no longer work by default.
+  In these cases, you should now use remember_cookie_options and
+  include a :httponly=>false option.

data/doc/release_notes/2.9.0.txt

@@ -0,0 +1,21 @@
+= New Features
+
+* A json feature has been extracted from the existing jwt feature.
+  This feature allows for the same JSON API previously supported
+  by the JWT feature, but stores the session information in the
+  Rack session instead of in a separate JWT.  This makes it
+  significantly easier to have certain pages use the JSON API,
+  and other pages the HTML forms.
+
+= Other Improvements
+
+* If the remember cookie is created in an SSL request, the Secure
+  flag is added by default, so the cookie will not be transmitted
+  in non-SSL requests.
+
+= Backwards Compatibility
+
+* Rodauth configurations that use the remember feature and support
+  requests over both http and https and want to have the remember
+  cookie transmitted over both should now include :secure=>false in
+  remember_cookie_options.

data/doc/remember.rdoc

@@ -35,7 +35,7 @@ raw_remember_token_deadline :: A deadline before which to allow a raw remember t
 remember_additional_form_tags :: HTML fragment containing additional form tags to use on the change remember setting form.
 remember_button :: The text to use for the change remember settings button.
 remember_cookie_key :: The cookie name to use for the remember token.
-remember_cookie_options :: Any options to set for the remember cookie.
+remember_cookie_options :: Any options to set for the remember cookie. By default, the `:path` cookie option is set to `/` and `:httponly` is set to `true`. Also, `:secure` is set to `true` by default if the current request is an HTTPS request.
 remember_deadline_column :: The column name in the +remember_table+ storing the deadline after which the token will be ignored.
 remember_deadline_interval :: The amount of time for which to remember accounts, 14 days by default.  Only used if +set_deadline_values?+ is true.
 remember_disable_label :: The label for disabling remembering.

data/javascript/webauthn_auth.js

@@ -1,34 +1,34 @@
 (function() {
+  var pack = function(v) { return btoa(String.fromCharCode.apply(null, new Uint8Array(v))).replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, ''); };
+  var unpack = function(v) { return Uint8Array.from(atob(v.replace(/-/g, '+').replace(/_/g, '/')), c => c.charCodeAt(0)); };
   var element = document.getElementById('webauthn-auth-form');
   var f = function(e) {
     //console.log(e);
     e.preventDefault();
     if (navigator.credentials) {
       var opts = JSON.parse(element.getAttribute("data-credential-options"));
-      opts.challenge = Uint8Array.from(atob(opts.challenge.replace(/-/g, '+').replace(/_/g, '/')), c => c.charCodeAt(0));
-      opts.allowCredentials.forEach(function(cred) {
-        cred.id = Uint8Array.from(atob(cred.id.replace(/-/g, '+').replace(/_/g, '/')), c => c.charCodeAt(0));
-      });
+      opts.challenge = unpack(opts.challenge);
+      opts.allowCredentials.forEach(function(cred) { cred.id = unpack(cred.id); });
       //console.log(opts);
       navigator.credentials.get({publicKey: opts}).
         then(function(cred){
           //console.log(cred);
           //window.cred = cred
 
-          var rawId = btoa(String.fromCharCode.apply(null, new Uint8Array(cred.rawId))).replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
+          var rawId = pack(cred.rawId);
           var authValue = {
             type: cred.type,
             id: rawId,
             rawId: rawId,
             response: {
-              authenticatorData: btoa(String.fromCharCode.apply(null, new Uint8Array(cred.response.authenticatorData))).replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, ''),
-              clientDataJSON: btoa(String.fromCharCode.apply(null, new Uint8Array(cred.response.clientDataJSON))).replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, ''),
-              signature: btoa(String.fromCharCode.apply(null, new Uint8Array(cred.response.signature))).replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '')
+              authenticatorData: pack(cred.response.authenticatorData),
+              clientDataJSON: pack(cred.response.clientDataJSON),
+              signature: pack(cred.response.signature)
             }
           };
 
           if (cred.response.userHandle) {
-            authValue.response.userHandle = btoa(String.fromCharCode.apply(null, new Uint8Array(cred.response.userHandle))).replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
+            authValue.response.userHandle = pack(cred.response.userHandle);
           }
 
           document.getElementById('webauthn-auth').value = JSON.stringify(authValue);

data/javascript/webauthn_setup.js

@@ -1,26 +1,29 @@
 (function() {
+  var pack = function(v) { return btoa(String.fromCharCode.apply(null, new Uint8Array(v))).replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, ''); };
+  var unpack = function(v) { return Uint8Array.from(atob(v.replace(/-/g, '+').replace(/_/g, '/')), c => c.charCodeAt(0)); };
   var element = document.getElementById('webauthn-setup-form');
   var f = function(e) {
     //console.log(e);
     e.preventDefault();
     if (navigator.credentials) {
       var opts = JSON.parse(element.getAttribute("data-credential-options"));
-      opts.challenge = Uint8Array.from(atob(opts.challenge.replace(/-/g, '+').replace(/_/g, '/')), c => c.charCodeAt(0));
-      opts.user.id = Uint8Array.from(atob(opts.user.id.replace(/-/g, '+').replace(/_/g, '/')), c => c.charCodeAt(0));
+      opts.challenge = unpack(opts.challenge);
+      opts.user.id = unpack(opts.user.id);
+      opts.excludeCredentials.forEach(function(cred) { cred.id = unpack(cred.id); });
       //console.log(opts);
       navigator.credentials.create({publicKey: opts}).
         then(function(cred){
           //console.log(cred);
           //window.cred = cred
-          
-          var rawId = btoa(String.fromCharCode.apply(null, new Uint8Array(cred.rawId))).replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
+
+          var rawId = pack(cred.rawId);
           document.getElementById('webauthn-setup').value = JSON.stringify({
             type: cred.type,
             id: rawId,
             rawId: rawId,
             response: {
-              attestationObject: btoa(String.fromCharCode.apply(null, new Uint8Array(cred.response.attestationObject))).replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, ''),
-              clientDataJSON: btoa(String.fromCharCode.apply(null, new Uint8Array(cred.response.clientDataJSON))).replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '')
+              attestationObject: pack(cred.response.attestationObject),
+              clientDataJSON: pack(cred.response.clientDataJSON)
             }
           });
           element.removeEventListener("submit", f);

data/lib/rodauth.rb

@@ -66,6 +66,7 @@ module Rodauth
       define_method(meth) do |&block|
         @auth.send(:define_method, meth, &block)
         @auth.send(:private, meth) if priv
+        @auth.send(:alias_method, meth, meth)
       end
     end
 
@@ -74,6 +75,7 @@ module Rodauth
       define_method(meth) do |&block|
         @auth.send(:define_method, umeth, &block)
         @auth.send(:private, umeth)
+        @auth.send(:alias_method, umeth, umeth)
       end
     end
 
@@ -82,6 +84,7 @@ module Rodauth
         block ||= proc{v}
         @auth.send(:define_method, meth, &block)
         @auth.send(:private, meth) if priv
+        @auth.send(:alias_method, meth, meth)
       end
     end
   end
@@ -120,8 +123,10 @@ module Rodauth
       define_method(handle_meth) do
         request.is send(route_meth) do
           check_csrf if check_csrf?
-          before_rodauth
-          send(internal_handle_meth, request)
+          _around_rodauth do
+            before_rodauth
+            send(internal_handle_meth, request)
+          end
         end
       end
 
@@ -238,6 +243,7 @@ module Rodauth
           instance_variable_set(iv, send(umeth))
         end
       end
+      alias_method(meth, meth)
       auth_private_methods(meth)
     end
 
@@ -288,15 +294,17 @@ module Rodauth
     end
 
     def enable(*features)
-      new_features = features - @auth.features
-      new_features.each{|f| load_feature(f)}
-      @auth.features.concat(new_features)
+      features.each do |feature|
+        next if @auth.features.include?(feature)
+        load_feature(feature)
+        @auth.features << feature
+      end
     end
 
     private
 
     def load_feature(feature_name)
-      require "rodauth/features/#{feature_name}"
+      require "rodauth/features/#{feature_name}" unless FEATURES[feature_name]
       feature = FEATURES[feature_name]
       enable(*feature.dependencies)
       extend feature.configuration

data/lib/rodauth/features/argon2.rb

@@ -0,0 +1,69 @@
+# frozen-string-literal: true
+
+require 'argon2'
+
+# :nocov:
+if !defined?(Argon2::VERSION) || Argon2::VERSION < '2'
+  raise LoadError, "argon2 version 1.x not supported as it does not support argon2id hashes"
+end
+# :nocov:
+
+module Rodauth
+  Feature.define(:argon2, :Argon2) do
+    depends :login_password_requirements_base
+
+    auth_value_method :use_argon2?, true
+
+    private
+
+    def password_hash_cost
+      return super unless use_argon2?
+      argon2_hash_cost 
+    end
+
+    def password_hash(password)
+      return super unless use_argon2?
+      ::Argon2::Password.new(password_hash_cost).create(password)
+    end
+
+    def password_hash_match?(hash, password)
+      return super unless argon2_hash_algorithm?(hash)
+      argon2_password_hash_match?(hash, password)
+    end
+
+    def password_hash_using_salt(password, salt)
+      return super unless argon2_hash_algorithm?(salt)
+
+      argon2_params = Hash[extract_password_hash_cost(salt)]
+      argon2_params[:salt_do_not_supply] = Base64.decode64(salt.split('$').last)
+      ::Argon2::Password.new(argon2_params).create(password)
+    end
+
+    def extract_password_hash_cost(hash)
+      return super unless argon2_hash_algorithm?(hash )
+
+      /\A\$argon2id\$v=\d+\$m=(\d+),t=(\d+)/ =~ hash
+      { t_cost: $2.to_i, m_cost: Math.log2($1.to_i).to_i }
+    end
+
+    if ENV['RACK_ENV'] == 'test'
+      def argon2_hash_cost
+        {t_cost: 1, m_cost: 3}
+      end
+    # :nocov:
+    else
+      def argon2_hash_cost
+        {t_cost: 2, m_cost: 16}
+      end
+    end
+    # :nocov:
+
+    def argon2_hash_algorithm?(hash)
+      hash.start_with?('$argon2id$')
+    end
+
+    def argon2_password_hash_match?(hash, password)
+      ::Argon2::Password.verify_password(password, hash)
+    end
+  end
+end

data/lib/rodauth/features/base.rb

@@ -102,7 +102,6 @@ module Rodauth
       :set_redirect_error_flash,
       :set_title,
       :translate,
-      :unverified_account_message,
       :update_session
     )
 
@@ -111,7 +110,8 @@ module Rodauth
       :account_from_session,
       :field_attributes,
       :field_error_attributes,
-      :formatted_field_error
+      :formatted_field_error,
+      :around_rodauth
     )
 
     configuration_module_eval do
@@ -260,6 +260,7 @@ module Rodauth
       @password_field_autocomplete_value || 'current-password'
     end
 
+    alias account_password_hash_column account_password_hash_column
     # If the account_password_hash_column is set, the password hash is verified in
     # ruby, it will not use a database function to do so, it will check the password
     # hash using bcrypt.
@@ -459,8 +460,12 @@ module Rodauth
 
     private
 
+    def _around_rodauth
+      yield
+    end
+
     def database_function_password_match?(name, hash_id, password, salt)
-      db.get(Sequel.function(function_name(name), hash_id, BCrypt::Engine.hash_secret(password, salt)))
+      db.get(Sequel.function(function_name(name), hash_id, password_hash_using_salt(password, salt)))
     end
 
     def password_hash_match?(hash, password)
@@ -588,6 +593,10 @@ module Rodauth
       @has_password = !!get_password_hash
     end
 
+    def password_hash_using_salt(password, salt)
+      BCrypt::Engine.hash_secret(password, salt)
+    end
+
     # Get the password hash for the user.  When using database authentication functions,
     # note that only the salt is returned.
     def get_password_hash

data/lib/rodauth/features/confirm_password.rb

@@ -26,11 +26,11 @@ module Rodauth
       require_account_session
       before_confirm_password_route
 
-      request.get do
+      r.get do
         confirm_password_view
       end
 
-      request.post do
+      r.post do
         if password_match?(param(password_param))
           transaction do
             before_confirm_password

data/lib/rodauth/features/disallow_password_reuse.rb

@@ -24,13 +24,16 @@ module Rodauth
 
     def add_previous_password_hash(hash) 
       ds = previous_password_ds
-      keep_before = ds.reverse(previous_password_id_column).
-        limit(nil, previous_passwords_to_check).
-        get(previous_password_id_column)
 
-      if keep_before
-        ds.where(Sequel.expr(previous_password_id_column) <= keep_before).
-          delete
+      unless @dont_check_previous_password
+        keep_before = ds.reverse(previous_password_id_column).
+          limit(nil, previous_passwords_to_check).
+          get(previous_password_id_column)
+
+        if keep_before
+          ds.where(Sequel.expr(previous_password_id_column) <= keep_before).
+            delete
+        end
       end
 
       # This should never raise uniqueness violations, as it uses a serial primary key
@@ -39,7 +42,7 @@ module Rodauth
 
     def password_meets_requirements?(password)
       super &&
-        password_doesnt_match_previous_password?(password)
+        (@dont_check_previous_password || password_doesnt_match_previous_password?(password))
     end
 
     private
@@ -71,6 +74,16 @@ module Rodauth
       previous_password_ds.delete
     end
 
+    def before_create_account_route
+      super if defined?(super)
+      @dont_check_previous_password = true
+    end
+
+    def before_verify_account_route
+      super if defined?(super)
+      @dont_check_previous_password = true
+    end
+
     def after_create_account
       if account_password_hash_column && !(respond_to?(:verify_account_set_password?) && verify_account_set_password?)
         add_previous_password_hash(password_hash(param(password_param)))

data/lib/rodauth/features/json.rb

@@ -0,0 +1,189 @@
+# frozen-string-literal: true
+
+module Rodauth
+  Feature.define(:json, :Json) do
+    translatable_method :json_not_accepted_error_message, 'Unsupported Accept header. Must accept "application/json" or compatible content type'
+    translatable_method :json_non_post_error_message, 'non-POST method used in JSON API'
+    auth_value_method :json_accept_regexp, /(?:(?:\*|\bapplication)\/\*|\bapplication\/(?:vnd\.api\+)?json\b)/i
+    auth_value_method :json_check_accept?, true
+    auth_value_method :json_request_content_type_regexp, /\bapplication\/(?:vnd\.api\+)?json\b/i
+    auth_value_method :json_response_content_type, 'application/json'
+    auth_value_method :json_response_custom_error_status?, true
+    auth_value_method :json_response_error_status, 400
+    auth_value_method :json_response_error_key, "error"
+    auth_value_method :json_response_field_error_key, "field-error"
+    auth_value_method :json_response_success_key, "success"
+    translatable_method :non_json_request_error_message, 'Only JSON format requests are allowed'
+
+    auth_value_methods(
+      :only_json?,
+      :use_json?,
+    )
+
+    auth_methods(
+      :json_request?,
+    )
+
+    auth_private_methods :json_response_body
+
+    def set_field_error(field, message)
+      return super unless use_json?
+      json_response[json_response_field_error_key] = [field, message]
+    end
+
+    def set_error_flash(message)
+      return super unless use_json?
+      json_response[json_response_error_key] = message
+    end
+
+    def set_redirect_error_flash(message)
+      return super unless use_json?
+      json_response[json_response_error_key] = message
+    end
+
+    def set_notice_flash(message)
+      return super unless use_json?
+      json_response[json_response_success_key] = message if include_success_messages?
+    end
+
+    def set_notice_now_flash(message)
+      return super unless use_json?
+      json_response[json_response_success_key] = message if include_success_messages?
+    end
+
+    def json_request?
+      return @json_request if defined?(@json_request)
+      @json_request = request.content_type =~ json_request_content_type_regexp
+    end
+
+    def use_json?
+      json_request? || only_json?
+    end
+
+    def view(page, title)
+      return super unless use_json?
+      return_json_response
+    end
+
+    private
+
+    def before_view_recovery_codes
+      super if defined?(super)
+      if use_json?
+        json_response[:codes] = recovery_codes
+        json_response[json_response_success_key] ||= "" if include_success_messages?
+      end
+    end
+
+    def before_webauthn_setup_route
+      super if defined?(super)
+      if use_json? && !param_or_nil(webauthn_setup_param)
+        cred = new_webauthn_credential
+        json_response[webauthn_setup_param] = cred.as_json
+        json_response[webauthn_setup_challenge_param] = cred.challenge
+        json_response[webauthn_setup_challenge_hmac_param] = compute_hmac(cred.challenge)
+      end
+    end
+
+    def before_webauthn_auth_route
+      super if defined?(super)
+      if use_json? && !param_or_nil(webauthn_auth_param)
+        cred = webauth_credential_options_for_get
+        json_response[webauthn_auth_param] = cred.as_json
+        json_response[webauthn_auth_challenge_param] = cred.challenge
+        json_response[webauthn_auth_challenge_hmac_param] = compute_hmac(cred.challenge)
+      end
+    end
+
+    def before_webauthn_login_route
+      super if defined?(super)
+      if use_json? && !param_or_nil(webauthn_auth_param) && account_from_login(param(login_param))
+        cred = webauth_credential_options_for_get
+        json_response[webauthn_auth_param] = cred.as_json
+        json_response[webauthn_auth_challenge_param] = cred.challenge
+        json_response[webauthn_auth_challenge_hmac_param] = compute_hmac(cred.challenge)
+      end
+    end
+
+    def before_webauthn_remove_route
+      super if defined?(super)
+      if use_json? && !param_or_nil(webauthn_remove_param)
+        json_response[webauthn_remove_param] = account_webauthn_usage
+      end
+    end
+
+    def before_otp_setup_route
+      super if defined?(super)
+      if use_json? && otp_keys_use_hmac? && !param_or_nil(otp_setup_raw_param)
+        _otp_tmp_key(otp_new_secret)
+        json_response[otp_setup_param] = otp_user_key
+        json_response[otp_setup_raw_param] = otp_key
+      end
+    end
+
+    def before_rodauth
+      if json_request?
+        if json_check_accept? && (accept = request.env['HTTP_ACCEPT']) && accept !~ json_accept_regexp
+          response.status = 406
+          json_response[json_response_error_key] = json_not_accepted_error_message
+          _return_json_response
+        end
+
+        unless request.post?
+          response.status = 405
+          response.headers['Allow'] = 'POST'
+          json_response[json_response_error_key] = json_non_post_error_message
+          return_json_response
+        end
+      elsif only_json?
+        response.status = json_response_error_status
+        response.write non_json_request_error_message
+        request.halt
+      end
+
+      super
+    end
+
+    def redirect(_)
+      return super unless use_json?
+      return_json_response
+    end
+
+    def return_json_response
+      _return_json_response
+    end
+
+    def _return_json_response
+      response.status ||= json_response_error_status if json_response[json_response_error_key]
+      response['Content-Type'] ||= json_response_content_type
+      response.write(_json_response_body(json_response))
+      request.halt
+    end
+
+    def include_success_messages?
+      !json_response_success_key.nil?
+    end
+
+    def _json_response_body(hash)
+      request.send(:convert_to_json, hash)
+    end
+
+    def json_response
+      @json_response ||= {}
+    end
+
+    def set_redirect_error_status(status)
+      if use_json? && json_response_custom_error_status?
+        response.status = status
+      end
+    end
+
+    def set_response_error_status(status)
+      if use_json? && !json_response_custom_error_status?
+        status = json_response_error_status
+      end
+
+      super
+    end
+  end
+end